It's official, your smart TV can be hijacked: Malware is holding viewers to ransom

It's official – you have lived to see the day that your television is now so smart that it can be hijacked, and traditional PC problems with malware and ransomware might soon become a problem in home entertainment too.

The year has only just begun, but already two separate security research firms have released updates about TV-based malware – one type that isn't really meant for TVs, and one type that is going to keep bothering users unless they become extremely vigilant with their smart TV security.

On 6 January, Reddit user moeburn posted that his sister had managed to get a virus on her LG Smart TV through the TV's built-in web browser. "She managed to get a DNS Hijacker that would say: 'Your computer is infected please send us money to fix it' any time she tried to do anything on the TV," he wrote, adding that the pop-up was definitely a virus that refused to go away until he reapplied factory settings to the entire TV.

One-size-fits-all malware

Malware seen on a LG smart TV — What the malware looks like on an LG smart TV (click to enlarge image) Kaspersky Lab

Security firm Kaspersky Lab was intrigued by moeburn's post and decided to investigate. They discovered that the malware was not specifically targeting the smart TV, but instead was designed to work on any device that had a web browser on it.

"[We] ran the file on a LG Smart TV and got the same result. It was possible to close the browser, but it did not change any browser or DNS settings. Turning [the TV] off and on again solved the problem as well. It is possible that other malware was involved in the case reported on Reddit, that changed the browser or network settings," researcher Dirk Kollberg wrote in a blog post.

"But remember, for example, that it's possible to install an app from a USB stick. If your TV runs Android, a malicious app designed for an Android smartphone might even work on your TV. In a nutshell, this case isn't malware specifically targeting Smart TVs, but be aware that such websites, as with phishing generally, work on any OS platform you're using."

Android-based smart TVs are at risk

Malicious smart TV apps - to be safe, don't download apps from third-party websites Trend Micro

Speaking of Android, security research firm Trend Micro recently found that many Android-based smart TVs are still running on older versions of Android before Lollipop 5.0, and malicious apps can abuse a flaw within these old versions of Android to hijack smart TVs to quietly install and serve other malware onto the TV.

"First, the attackers lure owners of smart TVs to the websites mentioned above and get them to install the apps infected with malware. Once these are installed, the attacker will trigger the vulnerability in the system. Well-known exploit techniques like heap sprays or return-oriented programming are used to gain elevated privileges in the system," Trend Micro's mobile threats analyst Ju Zhu wrote in a blog post.

Ju stressed that with elevated permissions, the attackers could install and even update malicious apps on the TV, and that since the apps are only downloaded via an unsecured HTTP connection, there is nothing to stop a second hacker from coming along and using a man-in-the-middle attack to gain control of all the malicious apps on the TV.

It would be useful for a second hacker to do this if the malicious apps installed were somehow serving ads and generating income for the first attackers.

Many users have no idea how to keep their smart TV updated

"While most mobile Android devices can easily be upgraded to the latest version, upgrading smart TV sets may be more challenging for users because they are limited by the hardware. As such, we recommend getting protection solutions installed instead and avoiding the installation of apps from third-party sites," said Ju.

His comments echo a Trend Micro report from December 2015 showing that up to 6.1 million devices in the world, including smart TVs, are currently at risk from remote code execution attacks, because many users never installed the patch for the exploit that was issued back in 2012.

Still, Kaspersky Lab offers some hope – criminals are still mostly focusing on PC and smartphone users because in general, not many people are using their smart TVs to read their email and it is difficult for malware to be compatible for all the different types of smart TV operating systems and hardware.